On 10/10/2014 02:42 PM, Manuel Alfonso López Rourich wrote:
Hello,

Thank you very much for your quick response, but I would prefer not
to change any OpenNebula script.

Anyway, I wonder why that simple configuration doesn't work. Could
someone who has integrated OpenLDAP groups with OpenNebula let us know
his configuration and OpenLDAP entry types?

This is a very simple change :)

I believe the objectClass: groupofnames in OpenLDAP will work with the current OpenNebula implementation.
cheers,
marcin


Thank you very much

Best regards

2014-10-08 12:42 GMT+02:00 Marcin Stolarek <[email protected]>:



    On 10/08/2014 12:32 PM, Manuel Alfonso López Rourich wrote:

        Good morning,

        I'd like to ask you about an issue with user authentication in
        SunStone:

        I've configured SunStone so that new users from an OpenLDAP directory
        can log in (the user is created automatically in OpenNebula). It works
        fine but when I configure *:group* in *ldap_auth.conf*, I can't
        authenticate new users within an LDAP group. The error that ONE throws is
        clear (*"User ulopez is not in group
        cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es"*) but I don't know what could
        be done so that it works. The documentation about LDAP groups with ONE is
        not very clear for me.

        The LDAP configuration is:

        server 1:
              :auth_method: :simple
              :host: 10.12.0.3
              :port: 389
              :base: 'dc=one,dc=es'

              # group the users need to belong to. If not set any user will do
              :group: 'cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es'

              # field that holds the user name, if not set 'cn' will be used
              :user_field: 'uid'
              # field name for group membership, by default it is 'member'
              :group_field: 'memberUid'

              # user field that is in the group group_field, if not set
              # 'dn' will be used
              #user_group_field: 'gidNumber'

        The directory entry for the group is the next one:

        # extended LDIF
        #
        # LDAPv3
        # base <cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es> with scope subtree
        # filter: (objectclass=*)
        # requesting: ALL
        #

        # grupo_nuevo, ou_nueva, one.es
        dn: cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es
        gidNumber: 503
        cn: grupo_nuevo
        objectClass: posixGroup
        objectClass: top
        memberUid: ulopez

        # us_nuevo_lopez, grupo_nuevo, ou_nueva, one.es
        dn: cn=us_nuevo_lopez,cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es
        givenName: us_nuevo
        gidNumber: 503
        homeDirectory: /home/users/ulopez
        sn: lopez
        loginShell: /bin/sh
        objectClass: inetOrgPerson
        objectClass: posixAccount
        objectClass: top
        uidNumber: 1009
        uid: ulopez
        cn: us_nuevo_lopez

        Thank you very much,

        Best regards




        _________________________________________________
        Users mailing list
        [email protected]
        http://lists.opennebula.org/listinfo.cgi/users-opennebula.org



    Currently OpenNebula supports only the scheme with the "listofmembers" (not
    sure if I haven't made a mistake in the name) objectClass.

    You can use my patch:

    https://github.com/cinek810/one/commit/925a124c96018aa8b4b44805aafa76280830a461


    to support groups in memberUid format.

    cheers,
    marcin


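An added example (not part of the original messages, and not OpenNebula's driver code): a Ruby model of the comparison the `ldap_auth.conf` comments describe, run over constructed entries shaped like the ones quoted above. The `parse_ldif` and `in_group?` helpers and the `grupo_gon` groupOfNames entry are hypothetical; with `group_field` set to `memberUid` and the default `dn`, a full DN is compared against the bare value `ulopez`, so no match is found.

```ruby
# Constructed LDIF shaped like the entries quoted in the thread, plus a
# hypothetical groupOfNames variant (grupo_gon) of the same group.
LDIF = <<~EOS
  dn: cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es
  objectClass: posixGroup
  memberUid: ulopez

  dn: cn=grupo_gon,ou=ou_nueva,dc=one,dc=es
  objectClass: groupOfNames
  member: cn=us_nuevo_lopez,cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es

  dn: cn=us_nuevo_lopez,cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es
  objectClass: posixAccount
  uid: ulopez
EOS

# Parse simple "attr: value" records into { dn => { attr => [values] } }.
# Comment lines, base64 values and line folding are not handled.
def parse_ldif(text)
  text.split(/\n\s*\n/).each_with_object({}) do |record, dir|
    entry = Hash.new { |h, k| h[k] = [] }
    record.each_line do |line|
      attr, value = line.chomp.split(/:\s*/, 2)
      entry[attr.downcase] << value if attr && value
    end
    dir[entry['dn'].first.downcase] = entry unless entry['dn'].empty?
  end
end

# True when a value of the user's user_group_field appears among the
# group's group_field values. user_group_field defaults to 'dn', as the
# config comment says. Exact string comparison is an assumption; real
# directories apply per-attribute matching rules.
def in_group?(dir, user_dn, group_dn, group_field:, user_group_field: 'dn')
  user    = dir.fetch(user_dn.downcase)
  group   = dir.fetch(group_dn.downcase)
  wanted  = user[user_group_field.downcase]
  members = group[group_field.downcase]
  !(wanted & members).empty?
end

if __FILE__ == $PROGRAM_NAME
  dir   = parse_ldif(LDIF)
  user  = 'cn=us_nuevo_lopez,cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es'
  posix = 'cn=grupo_nuevo,ou=ou_nueva,dc=one,dc=es'
  puts in_group?(dir, user, posix, group_field: 'memberUid')
  puts in_group?(dir, user, posix, group_field: 'memberUid', user_group_field: 'uid')
  puts in_group?(dir, user, 'cn=grupo_gon,ou=ou_nueva,dc=one,dc=es', group_field: 'member')
end
```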